Wednesday, October 19, 2011
John KYRIAZOGLOU, M.S., B.A (Hon.), Management Consultant
Author of ‘IT STRATEGIC & OPERATIONAL CONTROLS’ (www.itgovernance.co.uk),
And co-author of ‘CORPORATE CONTROLS’, to be published by www.theiic.org, by 12/2011
A question was recently put in a discussion group whether corporate controls were indeed necessary in the present DIGITAL SOCIETY and ECONOMY.
My comments follow:
We live, at least in most Western countries, in a post-industrial society, in the knowledge society, also known as the information society. The new life-style (modus vivendi, in the sociological vernacular) enforces upon all of us a new set of operational factors and transactional characteristics in our societal and human interactions, a new socio-economic operating mode (modus operandi in the sociological vernacular).
This set of social interactions is permeated and driven by several socio-technical factors and functional characteristics, such as:
(a)Globalization of markets,
(b)Liberalization of markets,
(d)Lack of governance controls in international fiscal and financial markets, transactions and activities,
(e)Very fast developments in the fields of Information Technology, Communications, Biology, Medicine, Management, etc.,
(f) Information plurality, diffusion and potential information over-loading, Increase of the leverage and focus on the needs of customers, the so-called customer-focus approach in all dealings,
(g) Differentiation of the needs and increase of the expectations of better provision of services to citizens, the so-called citizen-based service approach in all public-sector exchanges and transactions, and
(h) Reduction and de-strengthening of the traditional government model of a large central organization to a model of organization based on a de-centralized approach.
All of these, interacting and inter-connected in different sets, make up a new social, economic, technological, moral and political framework, within which society, economy, enterprises, government, non-profit organizations, communities, citizens, etc., operate and function productively.
New and more complicated roles are being created for the state (central administration, regional forms of government, local governments, etc.), for the business entities (small size, middle size, large size, conglomerate, international enterprises, etc.), and for organizations of the main public sector and related public regulatory authorities, with greater expectations for improved quality of life, and socio-economic advancement and development, in all industrial sectors and socio-economic environments.
The noted management guru Charles Handy supports the view that we must re-examine the basic principles that govern the running of enterprises and think from scratch of what is the basic objective of doing business.
At the level of organizations (private, public, non-profit, non-governmental, etc.) rapid changes are taking place on a continuous basis. This is due to the impact of innovative approaches of researching and designing new products and services (e.g., via the Web), the tremendous effect of quick and accurate information provided by ITC (Information Technology and Communications) infrastructure and systems, and to the new asset evaluating models.
Traditionally, organizations (at least in the private, for-profit sector) valued only physical assets (buildings, land, vehicles, heavy equipment, installations, plants, etc.), sales inventories, and profits. Presently, technology know-how, good-will and brand names, computer systems and application software, office automated support tools (Excel spreadsheet applications, etc.), electronic commerce and electronic data distribution services, etc., must also be added as valued assets to the balance sheet of organizations.
The model and the role of the classical state is also changing, within the framework of the European Union, as well as within the framework of the international environment, with the approach of electronic government, the model for citizen one-stop shop services, and the devolvement of authorities and responsibilities to the regional and local level (prefecture, wide metropolitan area governments, city level, community, neighborhood level), etc.
All these new and very quickly developed roles are required for:
(1) Quicker and more effective service (in relation to costs and benefits)
(2) Better management and more efficient use of global resources
(3) More proper (ethical, ecology-friendly) resource management by all industries, in all countries
(4) Continuous improvement in the quality of products and services provided, in social and citizen participation, in the commitment to democratic institutions and customer services, for all stakeholders (people and organizations)
(5) Minimization if not total reduction of social, public sector and business fraud and corruption
(6) Better understanding of what has gone wrong in private and public organizations and what must be done to get things right.
All of these may be implemented on the basis of strategy (organizational philosophy, external regulations, strategy, risk and change management, and performance measurement) and management controls (at the strategic and operational levels, a management information system, and the reporting, communications, audit , monitoring and review activities), i.e. the two complementary support pillars of a Corporate Controls Framework.
The socio-economic needs in the present DIGITAL SOCIETY and ECONOMY for the establishment and existence of a Corporate Controls Framework to cover both the historical context (i.e. conformance) and the future forward-looking view (i.e. performance) will be based on the major concept that for the achievement of all of the above, there exists a requirement for the design and implementation of a new operating model for private corporations and public organizations, consisting of:
(i) creation and implementation of strategic objectives,
(ii) best and most optimal use of resources (social, corporate),
(iii) measurement of produced and delivered goods, services and target achievements,
(iv) monitoring and improvement efforts on a timely and continuous basis, in other words on performance, and
(v) a set of strategic and operational controls which includes a Compliance Monitoring and Performance Management Systems for collecting performance data, monitoring, reviewing, and improving performance and compliance.
All of these are very critical and should be studied further and practical solutions proposed by think tanks, professional societies, scientists and researchers across the globe.
Monday, October 17, 2011
A question was recently put in a BLOG, whether CYBER DIPLOMACY should be studied and pursued as a distinct activity.
I think that CYBER DIPLOMACY should be a field of study and a practice on its own.
The term ‘CYBER’ is referring to the science of cybernetics, and it is derived from the Greek verb ‘ΚΥΒΕΡΝΑΩ’ (‘Kybernao’), which means ‘TO STEER’ and which is the root of our present concept ‘TO GOVERN’. It describes both the idea of NAVIGATION through a space of interconnected networks of computers and electronic data, and of CONTROLS which is achieved by manipulating those NETWORKS and DATA.
The term ‘DIPLOMACY’ is referring to the art, methods and practice of conducting negotiations between representatives of groups, local or international organizations (e.g. U.N.), or sovereign (e.g. U.S.) or semi-sovereign states (Canadian Province, Australian States, etc.). It is derived from the Greek word DIPLOMA, which means ‘LICENCE’ or ‘CHART’ (originally defining a paper folded in a double manner).
Negotiation is a DIALOGUE between two or more parties, intended to reach an understanding, resolve point of difference, etc., and finally to produce an agreement upon a course of action to settle the issues to a satisfactory level for both parties.
In its current version DIPLOMACY pertains to the conduct of international relations through the interactive activities of NEGOTIATION of professional diplomats with regard to issues of trade, human rights, peace-making, war, economics, environment, trade, etc.
To these issues, it is prudent to add the CYBER ISSUES. And as Secretary of State Hillary Rodham Clinton proclaimed (February 15, 2011): “The Internet has become the public space of the 21st century…We all shape and are shaped by what happens there, all 2 billion of us and counting. And that presents a challenge. To maintain an Internet that delivers the greatest possible benefits to the world, we need to have a serious conversation about the principles that will guide us…”
Also as we all rely, more and more, on computers and the internet now (communications, email, cellphones, entertainment, car engine systems, airplane navigation control systems, online stores, credit cards, medical equipment, medical records, etc.), weak-technologically nations are at a big disadvantage vis-à-vis their strong-technologically nations
For all these reasons, and to resolve the most critical issues in today’s societies related to the CYBERSPACE and its best use, exploitation and control, CYBER DIPLOMACY should be instituted, both as a field of study as well as a set of activities to be carried out by the DIPLOMATS, in order to reach a more harmonic balance in the international activities of nations.
Saturday, October 15, 2011
CORPORATE CONTROLS BOOK
To be published by the end of 2011
John KYRIAZOGLOU, CICA, M.S., B.A (Hon.)
and Dr. Frank Nasuti, Ph.D., CPA, CICA, CFE
with Dr. C. J. Kyriazoglou, Ph.D., MSc.
This book is about corporate controls and how they enable and support all management levels of the organization (top, middle, and lower) to accomplish strategic and operational goals and specific time-bound business objectives. Corporate controls, also, facilitate all these management levels to function most effectively and efficiently, and in a beneficial way both to its stakeholders and to society, at large. The stated mission of this book is to provide a set of such Corporate Controls, and their design, implementation and audit issues. Methodological processes are only described as to how controls are designed, implemented and audited.
The book is structured in three parts and an appendix, as noted below:
PART A: BASIC TERMS AND CONCEPTS
Chapter 1: Introduction to Management, Regulations and Controls, andThis chapter describes the basic concepts of management, regulations and controls, such as: Management Roles, Levels of Management Structure, Legal and Religious Systems, International Regulations and Guidelines, and Key Concepts of Management Controls.
Chapter 2: Proposed Organizational Controls Framework
This chapter describes the current socio-economic environment within which organizations and people operate, presents the most prevalent regulatory control frameworks, presents a diagram depicting the social and economic needs and drivers for the existence of an Organizational Controls Framework, analyzes the characteristics of competitive advantage and how organizational controls interact and support them, and outlines the basic building blocks of the proposed Organizational Controls Framework.
PART B: MAIN ORGANIZATIONAL CONTROLS
Chapter 3: Corporate Philosophy Controls
This chapter describes the main Corporate Philosophy Controls, such as: Vision, Mission, and Values Statements, Corporate Social Responsibility Policy, and Corporate Ethics (Policy, Office, Committee, and Program). Also the purpose of organizational philosophy controls, two models for creating a corporate ethics policy, examples of vision, mission and values statements, and a corporate ethics policy are presented. In addition to these a set of review and audit tools and techniques are depicted, such as:
Corporate Vision, Mission, and Values Statements Checklist,Departmental Corporate Vision, Mission, and Values Statements Checklist, Corporate Ethics Program and Policy Checklists, and
Corporate Fraud Management Checklist.
Chapter 4: Corporate Governance Controls
This chapter describes the main Corporate Governance Controls, such as: Board of Directors Charter, Corporate Committees (for Audit, Benefits and Personnel, Information Technology, Financial Issues, and Business Continuity), Corporate Policies (for Financial Accounting, Customer Relations, Fraud and Theft, Community Relations, Health and Safety, and Environment Management, and
Corporate Processes and Plans (for Performance Management, Internal Audit, Risk Management, Business Continuity Plan, Transaction Authorization Controls, Corporate Compliance Officer). Also examples of (a) charters for a board of directors, an audit committee, and a business continuity issues committee, (b) several policies (such as: customer relations, fraud and theft, community relations, health and safety, environment management, fixed asset management, and performance management), (c) a risk management process (with three steps), (d) a business continuity plan, and (e) corporate governance performance measures, are presented. In addition to these the following audit programs and checklists are described:
Internal Controls Framework Checklist,Business Continuity Audit Review Program, and
Generic Performance Audit Program.
Chapter 5: Strategic Management Controls
This chapter describes the main Strategic Management Controls, such as: Corporate Strategic Planning Committee, Strategic Plans, Strategic Budgets, Strategy Implementation Action Plans, and
Performance Management Framework. Also examples of (a) a charter of a strategic planning committee, (b) strategies, mission, vision, and values statements, (c) a strategic process methodology and a performance measurement procedure, (d) a corporate strategic plan and a strategy implementation plan, and (e) strategic performance measures, are presented. In addition to these the following audit checklists are described: Strategic Readiness Checklist, Business Idea Development Checklist, and Corporate Strategic Plan Checklist.
Chapter 6: Financial Controls
This chapter describes the main types of financial controls, such as: Financial Organization Controls (Financial Issues Committee, Function of the Controller, Accounting Manager – Job Description, and Budget Department), Financial Policies and Procedures (Financial Accounting Controls Policy, Financial Accounting Procedures, Financial Revenue Procedures, and Budgeting Procedure), General Ledger Controls (Chart of accounts, General Ledger, Trial balance, and Financial Statements), and Computerized Financial Systems (General Ledger (GL) Systems, Customer Invoicing (CI) Systems, Accounts Payable (AP) Systems, Customer Orders / Sales Processing (COP) Systems, and Payroll Systems). Also examples of (a) a charter of a financial issues committee, (b) a financial accounting controls policy (c) two budget formulation methodologies and a budgeting procedure, (d) two budget plans (income and expenses, and strategic initiatives), and (e) financial performance measures, are presented.In addition to these the following audit programs and checklists are described: Detail Management Controls Checklist, Financial Management Controls Checklist, and Asset Management Controls Checklist.
Chapter 7: Administrative Controls
This chapter describes the main types of administrative controls, such as: Administrative Organizational Controls (Corporate Committees, and Departmental Terms of Reference), Administrative Procedures (Procedures Manual, Files, Documents and Records Management Procedures, Confidential Information Release Procedures, Management Reporting Procedures, Asset Protection Procedures, Legal Procedures, etc.), Administrative Office Controls ( Physical Security Controls, Mail Controls, EDI Controls, Facsimile Transmission Controls, daily activities controls, etc.), and
Policies, Procedures and Forms Controls.Also examples of (a) the terms of reference for a production planning department, (b) the contents of an administrative procedures manual, (c) the clauses of an EDI standard contract, (d) five administrative forms (activities journal, visitors log, securities incidents log, problems log and mail log), and (e) administrative performance measures, are presented.
In addition to these the following audit checklists are described:
Internal Controls System: Policies and Procedures Checklist,
Departmental Terms of Reference Checklist,
Records Management System Checklist, and
Legal Issues Checklist.
Chapter 8: Human Resource Controls
This chapter describes the main types of human resource controls, such as: Human Rights Policy, Benefits and Personnel Committee,
Personnel Management Controls, Employee Management Policies and Procedures Handbook, and Human Resources (HR) Systems.
Also examples of (a) a human rights policy, (b) the contents of the charter of a benefits and personnel committee, (c) the job description of a CIO, (d) the contents of an employee management policies and procedures handbook, and (e) human resource performance measures, are presented.In addition to these the following audit programs and checklists are described:
Human Resources Management System Checklist,
Personnel Responsibilities and Skills Checklist, and
Personnel Management Audit Program.
Chapter 9: Production Controls
This chapter describes the main types of production controls, such as: Operations Policies and Procedures (Purchasing Process and Procedural Controls, and Inventory Control Procedures), Manufacturing Process Controls, Manufacturing Process Controls (New Product Development Controls, Bill of Materials (BOM) File, Master Production Schedule (MPS), Material Requirements Planning (MRP), Inventory Master Records (IMR) File, Inventory Transactions File, Preventive Maintenance Controls), Computerized Production Information Systems (Material Requirements Planning (MRP) System, Cost Accounting (CA) System, Production planning and control (PPC) system, Enterprise Resource Planning (ERP) system),Quality Management Controls, Standardization Procedures, Project Management Controls, Performance Management Controls, and Production Performance Measures.Also examples of (a) a quality management policy, (b) the steps of a methodology for establishing operational policies and procedures, (c) a purchasing process, (d) a procurement procedure, and (e) production performance measures for innovation, inventory control, manufacturing, production cost, service productivity, supply chain, and quality, are presented. In addition to these the following audit programs and checklists are described:
Production Process Audit Program,
Purchasing Controls Checklist,
Inventory Controls Checklist, and
Quality Management Controls Checklist.
Chapter 10: Information Technology (IT) Controls
This chapter describes (in summary form) the main IT Controls, such as: IT Organization Controls, IT Administration Controls, IT Strategy Controls, System Development Controls, IT Security Controls, IT Operational Controls, IT Technical Controls, Computerized Application Controls, and IT Performance Management Controls. In addition to these the following audit programs and checklists are described:
IT Terms of Reference Checklist,
IT Vision, Mission, and Values Checklist,
IT Strategic Planning Checklist,
IT Technology Coverage Checklist, and
IT Performance Assessment Audit Program.
PART C: DESIGN, IMPLEMENTATION AND MONITORING OF CONTROLS
The purpose of this part is to identify and propose the elements required to design, implement and monitor strategic and operational control systems more efficiently and effectively.
This part contains three chapters:
Chapter 11: Designing Strategic and Operational Controls
This chapter describes how to design strategic and operational controls for organizations, and the various elements required by the organizations to carry out the design process the best way. The contents of this chapter are:Strategic and Operational Controls,
Objectives of a Strategic and Operational Control System,
Selecting a Strategic and Operational Control System,
Designing Strategic Management Controls,
Duties, Responsibilities, and Conflicts of Interest,
Key Issues in Designing Strategic and Operational Controls,
Frameworks for Implementing Strategic Controls, and
Comparative Analysis of Frameworks.
Also examples of (a) a strategic controls process and a corporate policies and procedures management plan, (b) a conflicts of interest policy, (c) the control duties and responsibilities of a CIO and a board of directors, (d) a BSC for a public ministry and a BSC for a large construction company, and (e) performance measures for designing controls, are presented.
In addition to these the following checklists are described:
Strategic Management Controls Checklist, and
Organizational Controls Readiness Checklist.
CHAPTER 12: Implementing Strategic and Operational Controls with the BSC
This chapter describes how to implement strategic and operational controls for organizations, and the various elements required by the organizations to carry out the implementation process the best way. The contents of this chapter are:The rationale for BSC development and implementation,
The BSC general implementation process,
BSC Detail Implementation Approaches, and
The critical success factors in implementing strategic controls.
Also examples of (a) a Full-Scale Methodology for implementing BSC, and a Quick way approach for implementing BSC, (b) the contents of a BSC implementation plan, BSC responsibilities, and a performance dictionary, (c) an employee performance review policy, (d) linking the various BSC components, and (e) performance measures for implementing controls, are presented.
In addition to these the following checklists are described:
BSC Implementation Checklist,
Strategic Controls Implementation Checklist, and
Strategic and Operational Controls Checklist.
Chapter 13: Monitoring and Review Controls
This chapter discusses the purpose and main types of monitoring and review controls, and describes the following controls, such as:Monitoring Controls System,
Monitoring implementation of the strategic plan,
Monitoring implementation of policies and procedures (Continuous management monitoring procedures, Communicating performance information procedure, Management reports monitoring procedures, and Data Quality Monitoring Procedures), and Review and compliance controls (Internal Audit Process, Corporate Compliance Officer, Daily Activities Review Controls, Computer Security Monitoring and Review Procedures, The Corporate Governance Information System, External-Assessment Procedures, and Self-Assessment Procedures).
Also examples of (a) a data improvement methodology, (b) the contents of an internal audit report, (c) the contents of a customer satisfaction survey, (d) a Corporate Intelligence Monitoring Management Plan, and (d) performance measures for monitoring controls, are presented.
In addition to these the following audit programs and checklists are described:
Organizational Controls Monitoring Audit Program,
Communications System Review Checklist,
Internal Audit Checklist,
Monitoring Strategic Plan Checklist,
Monitoring Corporate Controls Checklist, and
Monitoring IT Controls Checklist.
Appendix 1. The Code of HammurabiAppendix 2. The Ten Laws of Solon
Appendix 3. The Maxims of the Oracle of Delphi
Appendix 4. Examples of BSC Implementations
Appendix 5. Strategic Analysis and Assessment Methods and Tools
Appendix 6. Chief Information Officer – Job Description
Appendix 7. List of Audit and Review Programs
Appendix 8. List of Audit and Review Checklists
John KYRIAZOGLOU, CICA, M.S., B.A (Hon.)
and Dr. Frank Nasuti, Ph.D., CPA, CICA, CFE
with Dr. C. J. Kyriazoglou, Ph.D., MSc.
IT STRATEGIC AND OPERATIONAL CONTROLS*
By John KYRIAZOGLOU, CICA, M.S., B.A (Hon.)
*This is summary of the following book
==== TITLE: 'IT STRATEGIC AND OPERATIONAL CONTROLS’ =====
PRINTED VERSION: www.itgovernance.co.uk/products/3066
E-BOOK FORMAT VERSION: www.itgovernance.co.uk/products/3067
ADDENDUM TO THE BOOK (Customisable IT Audit Programmes and Checklists
(WORD FORMAT): www.itgovernance.co.uk/products/3143
These can also be purchased from www.itgovernanceusa.com,
itgovernanceasia.com and other major world distributors (e.g. AMAZON), etc.) and bookstores in several countries (England, India, Switzerland, Italy, Germany, Poland, Brazil, Canada, Australia, Japan, etc.).
Author: John Kyriazoglou, Publisher: IT Governance Publishing
ISBN: 978-1-84928-061-7, Pages: 686, Format: Softcover, Date: 2 September 2010
This book is about Information Technology (IT) Strategic and Operational Controls. IT controls (policies, procedures, forms, practices, audit programs, and checklists, etc.) enable and support all management levels of the organization (top, middle, and lower) to accomplish the IT strategic and operational goals of the organization. The book covers all the IT areas, such as: IT Organization Controls, IT Administration Controls, Enterprise Architecture Controls, IT Strategic Controls, System Development Controls, IT Security Controls, Data Center Operational and Support Controls, Systems Software Controls, Computerized Application Controls, and Using IT Controls in Audit and Consulting Assignments. Also the Appendix of the book contains examples of IT Security Policies, several examples of IT Forms, an IT Audit Methodology, a list of IT Audit Areas, an Internal Audit Report example, etc.
ADDENDUM to IT STRATEGIC AND OPERATIONAL CONTROLS
ISBN 978-1-84928-075-4. This separate volume contains Customisable IT audit programmes and checklists in word format.
BENEFITS OF THE BOOK
This book can guide, facilitate, enable, support and assist Organizations, Senior Executives, Boards, Managers, Professors, IT Professionals, and Auditors: (1) in organizing, managing, controlling, dealing with, reviewing and improving IT operations and activities is the areas of Organization, Administration, Strategy, Contingency Planning and Disaster Recovery, System Development, Software Quality, Data Center Operations, etc.), (2) in Internal and External IT AUDITING activities including possible aversion and detection of ECONOMIC AND HIGH-TECH CRIMES, (3) in UNIVERSITY EDUCATIONAL and Professional Training Programs for the areas of IT, BUSINESS ADMINISTRATION, MANAGERIAL ACCOUNTING AND CONTROL, COMPUTER SCIENCE, Information Management, Commerce, Finance, Accounting, Banking, Operations Management, etc., and (4) in CERTIFYING PROFESSIONALS IN IT CONTROLS and IT AUDITING.
'I wholeheartedly recommend this book to senior and operations managers who are the ultimate users of IT and who need to ensure that the information they receive is relevant, accurate, timely and, more importantly, the result of systems which are well controlled. Both internal and external auditors will find reference to a large number of very relevant tools for use in auditing and reviewing IT operations. I also highly recommend this book to any students studying for a degree that includes an auditing and IT module as part of their programme."
ENDORSEMENTS OF THE BOOK AND THE AUTHOR
Professor Georges M Selim, Emeritus Professor and Former Head of the Faculty of Management, Cass Business School, London, U.K. (See also ‘FOREWORD’ Section in the book)
"John is highly experienced IT professional with extensive practical and theoretical knowledge. He is capable of managing complex engagements and maintains excellent relations with clients and peers. He is also a distinguished writer of both technical books as well as literature. Working with John is a professional and personal pleasure."
George Raounas, Partner, KPMG Advisory Services, Greece.
"Mr John Kyriazoglou is a multi-talented personality. His technical and managerial skills together with his deep knowledge and expertise, can guarantee the successful completion of any IT project. He is a writer of technical as well of philosophical books being capable of balancing hi tech expertise with humanities. I have the pleasure of knowing him and working with him for many years. He has always been a teacher to me, providing me with his expertise, as well as his advice and care."
Michael Hadjiefthymiou, IT Audit Manager at a major Greek Bank
SUMMARY OF BOOK CHAPTERS
Chapter 1: IT Organization Controls
This chapter describes the main IT Organization Controls, such as: IT Department Functional Description Controls, IT Organizational Controls, IT Vision, Mission and Values, Monitoring and Review Controls, IT Control Frameworks, and IT Organization Performance Measures. Also examples of (a) IT terms of reference, (b) the contents of four IT control frameworks (COBIT, ITIL, ISO/IEC 38500, and The Calder-Moir IT Governance Framework), and (c) IT organization performance measures, are presented.
In addition to these a set of audit programs and checklists are described, such as: IT Terms of Reference Checklist, IT Organizational Assessment Audit Program, IT Functional Assessment Audit Program, etc.
Chapter 2: IT Administration Controls
This chapter describes the main IT Administration Controls, such as: IT Standards, Policies and Procedures, IT Budget, IT Asset Controls, IT Personnel Management Controls, IT Purchasing Controls, IT Management Reporting, and IT Administration Performance Measures. Also examples of (a) an IT budget, (b) IT personnel job descriptions of a Chief Information Officer, Business Systems Analyst, Application Systems Analyst, etc., and (c) IT administration performance measures, are presented. In addition to these the following audit programs and checklists are described: IT Personnel Management Controls Audit Program, IT Procedures Audit Program, Standards Checklist and Segregation of Duties Checklist.
Chapter 3: Enterprise Architecture Controls
This chapter describes the main Enterprise Architecture Controls, such as: Enterprise Architecture Frameworks, Enterprise or Operating Model of the Organization, Business Process Narratives, Enterprise Architecture Repository, etc., and Enterprise Architecture Performance Measures. Also examples of (a) strategies, general goals, and objectives, (b) mission, vision, and values statements, and (c) a corporate ethics policy are presented.
In addition to these a set of audit checklists are described, such as: Enterprise Architecture Framework Checklist, Corporate Vision, Mission, and Values Statements Checklist, and Corporate Strategic Plan Checklist.
Chapter 4: IT Strategic Controls
This chapter describes the main IT Strategic Controls, such as: IT Strategic Process Controls, IT Strategy Implementation and Monitoring Controls, and IT Strategic Performance Management Controls. Also examples of (a) an IT Strategy Analysis Methodology, (b) an IT Strategy Implementation Action Plan, (c) the contents of an IT strategic plan and an IT Performance Management Policy, and (d) an IT Balanced Scorecard and IT strategic performance measures, are presented.
In addition to these the following audit programs and checklists are described: IT Strategic Planning Checklist, IT BSC Implementation Checklist, IT Strategic Controls Implementation Checklist, IT Performance Assessment Audit Program, and CIO Business Plan Assessment Audit Program.
Chapter 5: System Development Controls
This chapter describes the main IT System Development Controls, such as: Application Development Controls, IT Systems Testing Methodology, End User Application Development Controls, Audit Trails, Software Package Controls, and System Development Quality Controls. Also examples of:(a) methodologies for systems development,
(b) the contents of a feasibility study, a systems analysis and design document, an application documentation set, an audit trail, an IT acceptance procedure and an IT application test plan,
(c) the contents of test forms,
(d) the contents of the documents of a software package purchase process, and (e) system development performance measures, are presented.
In addition to these the following audit programs and checklists are described: IT Data Management Controls Checklist, Documentation Checklist, System Development Strategy Checklist, System Development and Maintenance Checklist, End User Application Development Checklist, Software Requirements Specification Checklist, and Software Feasibility Approval Checklist.
This chapter describes the main IT Security Controls, such as: IT Security Guidelines and Standards, IT Security Policies and Plans, Computer Operations Controls, Personnel Security Management Controls, End User Security Administration Controls, Social Engineering Controls, Password Controls, IT Technical Protection Controls, Other Management Controls, Security Organizational Controls, and IT Security Performance Measures.
Chapter 6: IT Security Controls
Also examples of: (a) the contents of an IT security management plan,
(b) the contents of a systems development security plan, and a site security handbook
(c) the contents of a physical and environmental security program, and
(d) IT security performance measures, are presented.
In addition to these the following audit program and checklists are described: IT Security Audit Program, IT Security Policy Checklist, and Logical Security Controls Checklist.
Chapter 7: Data Center Operational and Support Controls
This chapter describes the main Data Center Operational and Support Controls, such as: Data Centre Controls, IT Contingency Planning and Disaster Recovery Controls, Hardware Controls, and Personal Computers Controls. Also examples of (a) an IT contingency planning methodology, (b) a personal computers use policy and safe operations procedure, (c) the contents of a vital records package and an IT disaster recovery plan, (d) a set of forms to manage various IT issues, and (e) IT operational performance measures, are presented.
In addition to these the following audit checklists are described: Physical Security Checklist, Environmental Issues Checklist, Production Environment Issues Checklist, Data Centre Management Checklist, Backup and Recovery Checklist, IT Disaster Recovery Checklist, and Personal Computers Checklist.
Chapter 8: Systems Software Controls
This chapter describes the main Systems Software Controls, such as: Systems Operating Environment Controls, Data Base Controls, Data Communications Controls, Audit Trail Controls, and Operating System, Data Base and Data Communications software Change Management Controls.
Also examples of (a) the software suppliers maintenance procedure, (b) the system software management process, (c) the contents of a data communications management plan, and an audit trail record, (d) a set of forms to manage the changes to system software, and (e) IT technical performance measures, are presented.
In addition to these the following audit programs and checklists are described: Systems Software Management Audit Program, System Software Acquisition Checklist, Systems Software Operation Checklist, Data Management Checklist, Data Base and Data Communications Checklist, Data Base Management System Checklist, Data Networking Audit Program, and Data Communications Checklist.
Chapter 9: Computerized Application Controls
This chapter describes the main Computerized Application Controls, such as: Input Controls, Processing Controls, Output Controls, Database Controls, Change Controls, and Testing Controls. Also examples of (a) a test methodology, (b) a test plan and an application audit trail record, (c) an organizational structure for application software testing, (d) a set of forms to manage the application software development and testing process, and (e) computerized application performance measures, are presented.
In addition to these the following audit programs are described: Computerized Application Controls Audit Program, Computerized Application Quality Audit Program, Post Implementation Review Audit Program, Web Applications Checklist, and Monitoring IT Application Controls Checklist.
Chapter 10: Using IT Controls in Audit and Consulting Assignments
This chapter contains three case studies and one IT audit assignment to improve the understanding of the IT controls contained in chapter 1 to 9 and the appendix of this book. These are: Retail Operation: IT Strategy Case Study, Trading Company: Applications Controls Case Study, Public Organization: IT Security Case Study, and IT Audit Assignment for Organization ‘ABCXYZ’.
Appendix 1: Examples of IT Security Policies
Appendix 2: IT Ethics Code-Example
Appendix 3: Monitoring IT Controls Checklist
Appendix 4: Examples of IT Forms
Appendix 5: IT Audit Methodology
Appendix 6: IT Audit Areas
Appendix 7: Internal Audit Report-Example
Appendix 8: Review Questions and Answers (for each chapter of this book)
Appendix 9. List of Governance and Control Frameworks.
PERFORMANCE MEASUREMENT for Private and Public Organizations
Authors: John Kyriazoglou& Despina Politou.Publisher: www.iwn.gr, 2005
SUMMARY- BOOK WRITTEN IN GREEK
PART A: Performance Measurement Framework
CHAPTER A.1: Performance Management Framework (PMF): Summary and Description of Main Parts (Governance, Strategy and Objectives, Policies, Procedures and Standards, Performance Indicators, Performance System and Human Resources, Project Management, Technical Support, Evaluation and Progress Reporting)
CHAPTER A.2: PMF Part A: Governance, Strategy and Objectives (Full description of each component and their role in the PMF framework)
CHAPTER A.3: PMF Part B: Policies, Procedures and Standards (Full description of each component and their role in the PMF framework)
CHAPTER A.4: PMF Part C: Performance Indicators, Performance Targets, initiatives and Human Resources (Full description of each component and their role in the PMF framework)
CHAPTER A.5: Performance Information System (Description of: information systems life-cycle approach in developing and operating information systems, designing and running the performance information system, procuring and installing a ready-made performance software package, software risks and information technology project deliverables).
REVIEW QUESTIONS: A set of questions for the critical concepts and issues contained in PART A.
PART B: Performance Frameworks, Evaluation Tools and Public Sector Performance Measurement Experience USA, England, Denmark, Austria, Ireland)
CHAPTER B.1: Description of the Balanced Scorecard Approach (perspectives, objectives, measures, targets, initiatives, and their inter-relationships), description of sample BSC cases for a private company as well as for the public sector, the problems and benefits of the BSC approach, and answers to the critical issues pertaining to the implementation of the BSC Framework.
CHAPTER B.2: Description of non-BSC Approaches, such as: CAF, TQM, Benchmarking, etc. Description of the problems and benefits of these approaches, and comparative analysis of all the methodological frameworks: BSC, CAF, TQM and Benchmarking.
CHAPTER B.3: Full description of the evaluation questionnaire regarding the readiness of an enterprise to adopt and implement Performance Measurement Systems.
CHAPTER B.4: Full description of the evaluation questionnaire regarding the application and penetration of Performance Measurement Systems.
CHAPTER B.5: Full description of the experience and the application (policies, implementation steps, performance frameworks, tools, etc.) of Performance Measurement Systems in the public sector of five advanced countries: USA, England, Denmark, Ireland, and Austria.
REVIEW QUESTIONS: A set of questions for the critical concepts and issues contained in PART B.
PART C: Creation of the Enterprise (Private, Public) that manages its own performance
CHAPTER C.1: Description of a methodology for the implementation of a performance measurement system to the needs of a specific private enterprise or public organization on the basis of several phases: performance needs analysis, design of the performance project, development of BSC pilots, and the performance information system, implementation of the performance system, the BSCs and the information system, and the evaluation of the specific Performance Measurement System implementation.
CHAPTER C.2: Description of a Project Management Methodology that may be used in performance measurement systems implementations, as described in Chapter C.1., previously, containing the following set of activities: project organization & administration, project planning, project support, project monitoring, project activities evaluation, project reporting, technical support, project activities auditing, risk assessment & resolution, change management, communication, management support and sponsorship, human resources and external parties management, etc.
CHAPTER C.3: Description of a quick method to implement a Balanced Scorecard as a performance measurement system on the basis of several steps: preparation, interviews (several rounds), workshops (several), implementation of a BSC, and periodic reviews of the total effort. Also the description of several example BSC cases.
CHAPTER C.4: Description of the design and implementation strategy for the effective construction and deployment of functional balanced scorecards in two corporate functions: human resource management and information technology. Also an analysis of two practical case studies in these two areas.
CHAPTER C.5: Summarized description of three Balanced Scorecard case studies, in the areas of: Local Authority (City of Charlotte, USA), International Conglomerate (ABB), and the health care sector (USA: two hospitals, CANADA: over 30 public hospitals in Ontario and British Columbia).
CHAPTER C.6: Analysis of the benefits accrued due to the implementation and full use of the BSC method on the basis of the data of a set of over 70 Balanced Scorecard cases on an international level (America, Europe, Asia, Africa, Oceania). Also the summary presentation of the results documented in a Canadian evaluation study on the basis of specific criteria.
REVIEW QUESTIONS: A set of questions for the critical concepts and issues contained in PART C.
Glossary of PERFORMANCE Concepts and Terms
Resources (Bibliography, Web References, Addresses of Professional Societies, Addresses of Consulting Firms on BSC, etc)
Summary of book contents in English
PERFORMANCE MEASUREMENT for Private and Public Organizations
Authors: John Kyriazoglou& Despina Politou.
Publisher: www.iwn.gr, 2005